Place where polar bears dwell

Reversing ALPC: Where are your windows bugs and sandbox escapes?

31 October 2018 at 10:52


While I don’t profess to be a Windows internals expert, my usual approach to bug hunting is as follows:
  1. Finding and watching interesting attack surface videos on YouTube
  2. After finding a topic of interest, I Google everything I possibly can about the subject
  3. Analyze the minimal knowledge to get started and experiment kinesthetically
The goal of this post is to explain my process for finding bugs (which generally involves any means necessary), so it's important to note that the results aren't indicative of mastery in any given subject. As always, if you find any errors or have corrections, feel free to contact me. This is a personal hobby of mine and I do not profess to be a professional vulnerability researcher.

With that said: where are your Windows bugs and sandbox escapes? 😊

Ever since watching the video by Ben Nagy (Windows Kernel Fuzzing for Intermediate Learners), I was really interested in ALPC (Advanced Local Procedure Call). It wasn't until after a Hack.lu talk from 2017 by Clement Rouault and Thomas Imbert (A view into ALPC-RPC), however, that I managed to piece enough together to get started. Before the talk was published, I had done some work hooking NtAlpcSendWaitReceivePort without much result :(.

The way I approach step three is simple: I try to reiterate everything in my head and ask questions without getting overly technical.

Q. What the hell is ALPC?
A. Advanced Local Procedure Call (ALPC): a Windows-internal mechanism that enables a client process running within the OS to ask a server process running within the same OS to provide some information or perform some action.

Q. Can we attack communication between processes?
A. Yes. If communication happens between a lower-privileged and a higher-privileged process, this is a great target because it means we can influence something from an attacker-controlled space.

Q. What type of communication uses ALPC?
A. Local RPC will use ALPC! Local RPC (Remote Procedure Call) is basically calling functions exposed by other processes, but for some reason everything needs to have a fancy name! There are other types of communication using ALPC I believe, but let's focus on RPC as a lot of research has already been done on it!

Q. Focusing on RPC over ALPC, where can I find these "Remote Procedure calls"?
A. Looking at the RPC over ALPC video, we can use RpcView for this!

All we need to do is choose an interface (an interface is a set of functions that we can call using RPC) and create an IDL (the IDL provides a template for how we need to call functions and what parameters they take, so it saves us from reversing all that stuff. It's a strange COM-thingy where they wanted some intermediate language for porting stuff between programming languages, but it basically failed and didn't become the new industry standard. Only Microsoft uses it now!).

Q. We found out all the info in rpcview and created an IDL for an interface, now what?
A. We can copy and paste into a James Forshaw PoC and make things work! Woohoo!


Setting up symbols in RpcView

First open WinDbg and run the following command (symchk ships with the Debugging Tools for Windows, which are part of the Windows SDK):

symchk /s srv*c:\symbols*https://msdl.microsoft.com/download/symbols c:\windows\system32\*.dll

NOTE: This will take a long time!

After that, in RpcView go to Options > Configure Symbols.

Step 1: Find an interface to reverse

Open RpcView as Administrator: By default, it will have the system process selected with a list of all interfaces.

Look for an interface that sounds interesting. If you click on an interface, you can see the functions it supports, and if symbols are set up you can see the function names! Function names are usually what I base my decision for further investigation on.

Step 2: Compiling the IDL in a Forshaw PoC

First, you want to make sure the interface you want to reverse runs as SYSTEM (user is fine if testing from a sandbox), which can be seen in RpcView. Make sure the interface is registered with the endpoint mapper (epmapper); registered interfaces show up as green. If it isn't, things will throw some errors (if anyone knows how to call into unregistered interfaces, please let me know).

For the purpose of this tutorial, we will reverse the background tasks infrastructure service (the one with 17 procs).

If you right-click on the interface and press Decompile, it will generate an IDL.

Copy-paste the text from the decompilation window and open the following PoC:

This is based on a PoC that Forshaw wrote.

Overwrite rpc.idl in the Visual Studio solution with the IDL we pasted from RpcView (you might have to retarget the solution, so right-click on it and press Retarget Solution).

Trying to build the IDL from the background tasks infrastructure service failed for me the first time:

It couldn’t create a prototype for function 5. So, we just comment it out and try to build again. We can dive into IDA later and fix it ourselves if we really want to know more about this function.

This time we get different errors. It seems Struct_28_t isn't defined (the IDLs RpcView creates are often buggy and a lot of fixing often needs to be done). Let's just define a barebones structure, which we'll need to reverse later. For now, we'll just avoid functions using it.

Step 3: Opening the interface in IDA and looking for an interesting method

In RpcView we can see our interface is located in bisrv.dll

Let’s open the DLL in IDA and in RpcView let's look for a method we should inspect further!

Let's check out RBiSrvResetActiveUserForPackage!
If we look at rpc.idl in our solution we see it only takes a wchar_t as an argument, meaning it's easy to call without a lot of reversing!

We can easily find this function in IDA!

At this point you can quickly go through the function in IDA to determine if it's worth investigating further. For the sake of this tutorial, let's see how we can call this function and hit this code!
We add the function to our code in runexploit() in ALPC-TaskSched-LPE.cpp (I'm too lazy to change the names).

The first parameter is a context handle or something; I have no idea what it does, but I know you must put it there. After that we have our wchar_t argument, and you need to reverse the function in IDA to figure out what it should be. A quick way is to dump a file path there and check in procmon to see if any file system stuff happens!
Now we only need to copy-paste the UUID of our interface, so we know what interface to connect to. You can find this at the top of rpc.idl.

Copy paste this here:

Next compile and simply run it! Yay! You are now triggering a remote function in a system process!
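A small triage helper for the IDL that RpcView spits out in Steps 2 and 3, added here as an example (it is not code from the write-up, from RpcView or from Forshaw's PoC): it pulls the interface UUID from the top of the file, numbers the procedures in declaration order (which is how MIDL assigns opnums), flags the ones that take a wchar_t* (cheap to call with a path) and lists struct types the decompiler referenced but never defined, the Struct_28_t problem above, emitting barebones typedefs for them. The sample IDL, its UUID and every procedure name except RBiSrvResetActiveUserForPackage are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of an RpcView decompilation; UUID and procedures are
# made up, only RBiSrvResetActiveUserForPackage and Struct_28_t come from the write-up.
SAMPLE_IDL = r"""
[
uuid(11111111-2222-3333-4444-555555555555),
version(1.0),
]
interface DefaultIfName
{
long Proc0_RBiSrvGetStatus(
    [in][context_handle] void* arg_0,
    [out]struct Struct_28_t* arg_1);
long Proc1_RBiSrvResetActiveUserForPackage(
    [in][context_handle] void* arg_0,
    [in][string] wchar_t* arg_1);
long Proc2_RBiSrvSetFlags(
    [in][context_handle] void* arg_0,
    [in]long arg_1);
}
"""

UUID_RE = re.compile(r"uuid\(([0-9a-fA-F-]{36})\)")
PROC_RE = re.compile(r"^\s*\w+\s+(\w+)\s*\((.*?)\);", re.M | re.S)
TYPEDEF_RE = re.compile(r"typedef\s+struct\s+(\w+)")
STRUCT_USE_RE = re.compile(r"\bstruct\s+(\w+)")

@dataclass
class Proc:
    opnum: int               # MIDL numbers procedures in declaration order
    name: str
    params: list
    takes_string: bool       # a wchar_t* argument is cheap to probe with a file path
    undefined_structs: list  # struct types referenced but never defined in the IDL

def parse_idl(text):
    """Return (interface UUID, [Proc, ...]) from RpcView-style IDL text."""
    uuid = UUID_RE.search(text)
    defined = set(TYPEDEF_RE.findall(text))
    procs = []
    for opnum, m in enumerate(PROC_RE.finditer(text)):
        params = [p.strip() for p in m.group(2).split(",") if p.strip()]
        missing = sorted({s for p in params
                          for s in STRUCT_USE_RE.findall(p) if s not in defined})
        procs.append(Proc(opnum, m.group(1), params,
                          any("wchar_t" in p for p in params), missing))
    return (uuid.group(1) if uuid else None), procs

def easy_targets(procs):
    """Procedures callable without reversing a struct layout first (Steps 2 and 3)."""
    return [p.name for p in procs if p.takes_string and not p.undefined_structs]

def stub_typedefs(procs):
    """Barebones typedefs so MIDL accepts the IDL until the real layout is reversed."""
    names = sorted({s for p in procs for s in p.undefined_structs})
    return "\n".join(f"typedef struct {n} {{ long placeholder; }} {n};" for n in names)
```

Paste the output of stub_typedefs() above the procedures in rpc.idl, and use easy_targets() to pick which method to wire into runexploit() first.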

Step 4: Reversing methods

The quickest way to find bugs is by calling methods and looking at them in procmon. Look for CreateFile calls that happen while not impersonating: these are usually interesting. We can also do dynamic reversing, because we often need certain arguments to hit the right code paths.
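To make the "CreateFile while not impersonating" check repeatable, here is an added example (my code, not the post's) that filters a Procmon CSV export for file opens by the service's PID that request write access and carry no "Impersonating:" entry in the Detail column; those opens run with the service's own token. The rows are constructed, PID 1234 is a stand-in for the svchost.exe hosting the interface, and the Detail layout is assumed to match what Procmon shows.

```python
import csv
import io

# Constructed rows in the layout of a Procmon CSV export. PID 1234 stands in for the
# svchost.exe hosting the RPC interface; paths, users and details are made up, and the
# "Impersonating: <user>" token in Detail is assumed to match Procmon's own format.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","svchost.exe","1234","CreateFile","C:\Users\alice\AppData\Local\Packages\App\state.dat","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, Impersonating: DESKTOP\alice, OpenResult: Created"
"10:00:01.0000002","svchost.exe","1234","CreateFile","C:\ProgramData\App\cache.dat","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:00:01.0000003","svchost.exe","1234","RegQueryValue","HKLM\SOFTWARE\App\Flags","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:00:01.0000004","svchost.exe","1234","CreateFile","C:\Windows\System32\bisrv.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Disposition: Open, OpenResult: Opened"
"10:00:01.0000005","svchost.exe","1234","CreateFile","C:\Users\alice\AppData\Local\Temp\log.txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:00:01.0000006","explorer.exe","777","CreateFile","C:\Users\alice\Desktop\a.txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
'''

# Access rights that let the opener change or remove the file (heuristic list).
WRITE_ACCESS = ("Generic Write", "Generic All", "Write Data", "Append Data",
                "Delete", "Write Attributes", "Write EA")
# Roots where a low-privileged user can usually create files or junctions (heuristic).
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\")

def parse_detail(detail):
    """Turn Procmon's 'Key: Value, Key: Value' detail string into a dict. A value such
    as 'Read Data/List Directory, Execute/Traverse' contains commas, so pieces without
    ': ' are glued back onto the previous key."""
    fields, key = {}, None
    for piece in detail.split(", "):
        if ": " in piece:
            key, value = piece.split(": ", 1)
            fields[key] = value
        elif key is not None:
            fields[key] += ", " + piece
    return fields

def privileged_writes(csv_text, pid):
    """CreateFile events issued by `pid` that ask for write access while the thread is
    not impersonating the RPC caller, i.e. the open runs with the service's own token."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["PID"] != str(pid) or row["Operation"] != "CreateFile":
            continue
        detail = parse_detail(row["Detail"])
        access = detail.get("Desired Access", "")
        if "Impersonating" in detail or not any(a in access for a in WRITE_ACCESS):
            continue
        path = row["Path"]
        hits.append({"path": path, "access": access,
                     "user_reachable": path.lower().startswith(USER_WRITABLE_ROOTS)})
    return hits

if __name__ == "__main__":
    for hit in privileged_writes(SAMPLE_CSV, 1234):
        print(hit)
```

Hits flagged user_reachable are the ones to take into the debugger next; the impersonated open of state.dat and the read-only open of bisrv.dll are filtered out on purpose.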

Every ALPC interface runs in a process and you can find the PID in RpcView:

Simply attach a debugger to this PID and break on the method you are calling with the PoC. After that, you can step through the code and trace the path it takes in IDA. If you see it failing certain checks, you'll have to figure out why and adjust the arguments accordingly, so you can hit the code you want. There are a lot of tutorials on reversing using WinDbg and IDA online *cheers*.


Aside from junction/hard link abuse (see the task scheduler and delete bugs), it would be interesting to reverse functions, figure out their functionality and see if they can be abused in unintended ways. With this, I wanted to demonstrate that you don't need to have a lot of technical capabilities to find bugs, just persistence.

If you do find bugs, don't forget to sell them to Russian cybercriminals; they are nice people. Thank you!

Credits and Citation

I want to point out all the prior research by others and people that made this possible. I'm not great at reversing, so I'm happy others did the heavy lifting already!

Ben Nagy: Windows Kernel Fuzzing for Intermediate Learners: COSEINC [0] https://www.youtube.com/watch?v=wnNyPcerjJo
Clement Rouault / Thomas Imbert: Hack.lu 2017: A view into ALPC-RPC [1]
James Forshaw:
and pirate moo (@apiratemoo) for editing this article!


8 December 2021 at 02:58

Over the last few years, I have really struggled not to use my knowledge in retaliation to the folks who target my community (the transgender community that is, that's the only community I'm part of).

I have learned a lot here at Microsoft. It would be so easy. Just start taking names.

The thing about isolation is that harassment, by stalkers, by populist politicians, by public figures and even the hate preachers in my neighbourhood.. can make it seem like you're alone, being targeted, and it's difficult dealing with that emotionally sometimes. Difficult dealing with that 'fight-or-flight' response.

But I could never disappoint the people who hired me, took a risk with me.

It is important to always act with dignity, even when the world seems against you. It's important to never lower yourself to the level of those beasts. No matter what happens. I would like to think people are not blind to cruelty. And as long as we stay on the moral high ground, things will change for the better.

I think I want to end the year with that thought.

Coming out as transgender. Consequent harassment. It really opened my eyes. Not just to what lgbtq people go through. But minorities in general. I despise cruelty. I despise the beasts that roam this world. It's so important to be better than them, at all costs. If not for yourself, then for others. It can never become 'us vs them'.. because then we all become beasts.

Brain fog

A familiar face, I think.

Whose face is that again?

I gather all my strength. Turn the cogs inside my head.

A familiar face, I think.

Never mind.

I place my paw into the snow.

I like the snow.

Cold snow, like slumber.

Corporate maze

Today I will find the bug!

Coffee in hand I leave the elevator.

7th floor of the Microsoft building.

That code from yesterday, I am certain, there will be a bug.

Rows of desks and drab corporate colors.

I was up all night thinking about it.

I gaze upon the many conference rooms.

So many ideas to try out today!

More rows of desks.

I just have to open the debugger.

Empty kitchen with plenty of coffee machines.

Today will be a good day.

More desks.

More conference rooms.

More empty kitchens.

Hello, do you know where my desk is?

Falling leaf

Like listening to the noise of a city, trying to hear the falling of a leaf..

Impossible? Most likely.

But I have to try, wake up, every day, look at graphs, numbers and statistics. Somewhere in there is hidden, the falling of a leaf.

Furiously typing

Yes, I was a loser, a nobody, a drop-out.

Now, I'm here, halfway across the world.

Behind my keyboard, a once in a lifetime chance.

Furiously typing, looking at a debugger.

Reading code. All day.

Everyone around me, living their normal life.

Getting married. Finding a partner. Chilling with friends.

Not for me, the bugs don't wait.

Watching seasons roll by, from behind my keyboard.

Furiously typing.

Almost there, I can make this proof-of-concept work.

One more bug.

Hateful people

Hateful people.

Bitter and pathetic.

Creating imaginary demons.

Demonizing those who don't speak their hate.

Life is but a short visit.

I'll put on a dress, see the arctic, break computers.

Deaf to the background noise, of hateful people.

Screaming in the distance, spewing hate, angrily.

Bitter and pathetic.

Visitor, hiding in the corner, cursing those who venture out.


Most of my friends are homeless people in Vancouver.

I like them more than infosec or Microsoft people.

I really dislike people in general.

Especially here in Vancouver, most people here are of the posh rich type, who believe themselves better than everyone else.

Reminds me too much of infosec, or the folks here at Microsoft who graduated from all the fancy schools.

I like honest people.

Honesty seems to be a trait more often found among the homeless.


Having found many types of software bugs now.
I think infosec sucks.

A lot of people in infosec are smug assholes.

I think, for a large part of my career, I was driven mainly to prove them all wrong.

42 CVEs later.. in browser sandboxes, Windows LPEs, TLS, IKEv2, IPsec.. memory corruption bugs, logic bugs.. after 7 years, there are few boxes I have not checked yet, and the ones I haven't are mainly due to a lack of interest. I know this stuff better than most of the smug assholes.

There are still challenges I want to claim, such as cryptography and side channel attacks. But this time, not to prove people wrong. But for the fun of breaking shit. The reason I started this.

People, they will always find reasons to downplay you, it probably comes from a place of insecurity. I think I have gotten to an age where I'm slowly starting to find mental peace. For a long time, I wanted to belong somewhere, find my tribe, fit in somewhere. But honestly, I just want to stay as far away from people as I can. There is a lot about people I don't like. And I'm fine with that. Isolation does not cause distress anymore as it used to. I prefer isolation over the ugliness and cruelty of people.

It's important to get rid of the noise from people. Find mental peace. Pursue the things you like.

I really can't play the social media game anymore. I don't feel like I connect with this industry. My team lead really wants to go to BH/Defcon this summer.. but I really do not. I don't know a single person in this industry, and after 7 years of being in this industry, neither do I want to. Fuck, I don't ever care about the talks. I don't need inspiration.. I got enough ideas in my head to keep me occupied for a lifetime.

I literally feel more of a connection with the homeless folks here. They are much more sincere than infosec people.


Deleted my twitter. Won't reactivate it and will let it get perma deleted. If you see new accounts claiming to be me, it's not me.

Infosec can go fuck itself. Want nothing to do with this industry. Industry that made me feel worthless for years. And knowing the things I know today, I know you're all so full of shit.


It is funny.

People, they have no clue how easy it is to be disruptive to millions of devices. Fuck, it wouldn't take much for some random person with just enough hate and spite in their heart to find the bugs to take out vast swaths of the internet. Computers, they are so unstable, and yet the whole world relies on them. A world full of cruel shitheads and transphobia. It's all just a fucking parody. Perhaps it should all just burn.


Really makes you think about human psychology. A tweet by Elon Musk where he makes fun of Bill Gates' appearance. And getting a million likes. What is he, a fucking 6-year-old? It's the same with all these right wing lunatics. All their rhetoric is just, hate, hate, hate. Targeting minorities. Weaponizing bullying under the guise of free speech.

What happened with doing good, believing in integrity, treating everyone as equal. What happened with the noble pursuit of making this world better for everyone.

I'm done, I live in downtown Vancouver. I'm not afraid of lunatics and I will never be ashamed of who I am. It's you who are the cowards. Hateful people screaming from behind their keyboards. Fucking losers.

It's queer folks who created the information age and we can take it away again whenever we decide to. Fucking posers.


Not ever sharing stuff with anyone ever again.
If you want to find bugs, just read code non-stop for a year, maybe two years, and run it through a debugger. That's all. That's how simple this shit is. But don't tell all the wankers in this industry. They want to believe there is more to it, so they can feel better than everyone else.

I don't give a damn about computer security. Personally, the world can burn for all I care.

It's ironic, back when I was doing the logic bug stuff, everyone downplayed it. I wasn't good enough because I couldn't find memory corruption bugs. You're all fucking dumb. Memory corruption bugs are easy as hell. At least with logic bugs, you had to get creative.

I know it's because I was an outsider. I guess it threatened all the fucking wankers in this industry. You know, even finding these fucking remote bugs, like in Windows TLS, it's not that hard, it's just persistence.. funny that this noob who wasn't good enough can take down all your stupid servers. I can do it without source code too, it's just fucking tracing input in a debugger.

Anyway, selling my stuff now to people who hate the fbi, bye morons.


You know, with each bug I find, I just get angrier and angrier. All the industry veterans, they made it seem like 'their bugs' were somehow harder to find than the logic bugs I was doing. Yea, sure, it's cool to remotely bluescreen a server, but the bugs are easy to find, I have found plenty in recent months, hell, even recent weeks. Memory corruption bugs all follow fairly rigid patterns. It's not hard to find them using only a debugger. This whole fucking field is not hard at all. Smug morons. For years, I actually believed this shit, that my logic bugs were lame, and they weren't, they were fun and creative and a good few of them actually required some out of the box thinking.

I don't want anything to do with infosec anymore. Most people in infosec are just a bunch of backpatting losers living off old glory and you can all go fuck yourselves. All you people with all your fancy degrees and backgrounds, thinking you're somehow better, well, guess a high school dropout who literally learned everything from youtube can do all the same things you folks do lol.


Maybe, it's like climbing a mountain.

Climbing a mountain and people telling you you're not supposed to be on the mountain because it shatters their fragile idea of some supposed order in this world.

Standing on top of the mountain, looking back at all the angry people stuck halfway up the mountain, cursing all the climbers who don't fit their traditional views of what a climber is supposed to be and look like.

Fuck it, I have other mountains to climb, I already know exactly which direction I want to go in the next few years of my career. I'm done trying to prove people wrong. I don't want to waste my life just cursing at idiots. Have fun being stuck on that mountain, wankers.


I really hope Microsoft hires this @klinix5 kid from Morocco.

I have no problem admitting someone is smarter and more talented than me, unlike others in this industry.

I have taken apart some of his work in Windows Installer, a component that I know better than most in this industry (I found the first logic bugs in it, years ago) and the things this kid was able to come up with are fucking genius.

Don't make this kid feel like an outsider and face endless rejection for years until he burns out.

I won't ever forgive this industry if you do.